Motivation

*  Possibility of Denial of Service (DoS) attacks in the MAC layer
*  MAC and routing layers interact
*  Current protocols offer insufficient cross-layer interaction
*  Possible to cause an attack by manipulating traffic in the MAC layer and propagate the attack to the routing layer
*  Need for additional interaction between MAC and routing:
   -  MAC needs to pass information to routing in case of congestion
   -  Routing decides on new routes that are not affected by congestion
   -  IDS makes sure the new routes don't contain malicious nodes
*  Goal: detect the intrusion, minimizing the detection time $t_D$ and the number of false alarms, while maximizing the probability of detection $P_D$
MAC Layer Issues

•  Issues:
   -  How to differentiate between an attack and congestion in wireless networks?
   -  Randomness of the Contention Window (CW) brings additional uncertainty into the detection process
   -  How long can a node stay malicious without being detected? What does it do in case of collision?
   -  Is it realistic to assume the existence of stealthy attacks?
   -  What is the number of nodes needed for attack detection, in particular partition detection?
   -  Which parameters do MAC and routing need to measure and exchange for an efficient cross-layer Intrusion Detection Scheme?
Routing issues

•  Routing does influence the performance of MAC
•  Routing chooses routes independently of MAC
•  MAC only forwards the packet to the given node → may lead to failures
•  Due to congestion and interference, MAC may not be able to deliver the packet
•  Routing uses an alternate route which is in the vicinity of the existing one → most likely unsuccessfully!
•  Solution: let MAC and routing interact with each other and with the IDS
•  IDS: has past behavior patterns and information from both MAC and routing;
   -  delivers the final decision
   -  communicates with routing and MAC
Systems Engineering & Integration Laboratory

MAC issues

•  Even without attacks MAC suffers from several problems:
   -  RTS/CTS propagation
   -  Unfairness due to exponential backoff
   -  Path interference - can lead to a chain reaction. If attacked this way, not likely to find the attacker!
•  Solution:
   -  Avoid interfering paths
•  How?
   -  Conflict graphs

[Figure: conflict graph example. Legend: nodes silenced due to RTS of neighboring nodes; initial sender]
Possible Attacks

Attack 1

[Figure] M "blocks" D from communicating

Attack 2

[Figure] Two colluding attackers M1 and M2
First transmission M1 → A: X has to defer
Second transmission M2 → B: X has to defer
M1, M2 synchronize: D is "blocked" from communicating
Node classification

•  Normal
   -  Obeys the rules of MAC layer protocols when both sending and receiving packets.
   -  Will not behave selfishly and will reply to RTS requests from other nodes
   -  Will update their CW, NAV etc. according to the rules of the protocol
•  Misbehaving
   -  Goal: gain priority in the network or disrupt already existing routes.
   -  Usually change the value of CW, NAV value, Duration/ID field in the packet, etc.
•  Malicious
   -  All communication done following the MAC layer protocol
   -  Will employ legitimate communications which result in DoS in one or multiple nodes and attack propagation through the network.
•  Issues:
   -  Best strategy for detection of misbehaving nodes
   -  How long can a malicious node stay malicious? Will it eventually collide with a normal node?
   -  What is the best strategy to stay undetected?
   -  What about colluding nodes?
Formal Model

[Figure: EFSM of the RTS/CTS/DATA/ACK handshake, with the states listed below]

•  MAC protocols easier to model than routing
•  Represent MAC protocols in the form of EFSMs
•  Need to impose time constraints
•  In combination with logic useful as an addition to the IDS

T_RTS: transmit RTS
R_RTS: receive RTS
T_DATA: transmit data
WFCTS: wait for CTS
WFACK: wait for acknowledgement
R_ACK: receive ACK
TO: counter timed out
Cross-layer scheme

•  Routing sends several choices to MAC
•  MAC uses: local detection, interference information, information from the physical layer, ...
•  MAC delivers the result back to routing → subset of the original routes
•  Consults IDS if necessary → global detection
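As an added worked example (not code from the slides), the conflict-graph idea of the "MAC issues" slide and the filtering step of this cross-layer scheme in Python: routing proposes several routes, MAC builds a conflict graph over the candidate links and the links already carrying traffic, and hands back the subset that is both within radio range and free of conflicts. The topology, the node names, the transmission and interference ranges, and the rule that two links conflict when they share a node or when an endpoint of one lies within interference range of an endpoint of the other are all assumptions made for illustration.

```python
import math
from itertools import combinations

# Constructed topology for illustration (not from the slides): node -> (x, y) in metres.
NODES = {
    "A": (200, 0), "B": (200, 100), "C": (200, 200),        # route already carrying traffic
    "S": (0, 300), "D": (400, 300),                         # endpoints of the new flow
    "N1": (100, 300), "N2": (200, 300), "N3": (300, 300),   # alternative in the vicinity of A-B-C
    "F1": (0, 400), "F2": (0, 500), "F3": (100, 500), "F4": (200, 500),
    "F5": (300, 500), "F6": (400, 500), "F7": (400, 400),   # detour well away from A-B-C
    "Z": (200, 380),                                        # too far from S to form a link
}
TX_RANGE = 110.0         # assumed: a hop exists only if its endpoints are this close
INTERFERE_RANGE = 180.0  # assumed: an RTS/CTS silences every node this close to either endpoint


def dist(a, b):
    (x1, y1), (x2, y2) = NODES[a], NODES[b]
    return math.hypot(x1 - x2, y1 - y2)


def links_of(route):
    """Hops of a route as frozensets, so that {a, b} and {b, a} are the same link."""
    return [frozenset(hop) for hop in zip(route, route[1:])]


def route_is_connected(route):
    return all(dist(a, b) <= TX_RANGE for a, b in zip(route, route[1:]))


def links_conflict(l1, l2):
    """Two links cannot be active at the same time if they share a node, or if an
    endpoint of one sits inside the interference range of an endpoint of the other
    (that node would be silenced by the other link's RTS/CTS)."""
    if l1 & l2:
        return True
    return any(dist(x, y) <= INTERFERE_RANGE for x in l1 for y in l2)


def conflict_graph(links):
    """Vertices are links; an edge joins every pair that cannot transmit together."""
    graph = {link: set() for link in links}
    for l1, l2 in combinations(list(graph), 2):
        if links_conflict(l1, l2):
            graph[l1].add(l2)
            graph[l2].add(l1)
    return graph


def conflicts_with_active(route, active_routes):
    """Conflict-graph edges between a candidate route and the links already in use
    (a hop that reuses an active link counts as a conflict as well)."""
    cand = links_of(route)
    active = {link for r in active_routes for link in links_of(r)}
    graph = conflict_graph(list(dict.fromkeys(cand)) + [l for l in active if l not in cand])
    reused = sum(1 for link in cand if link in active)
    return reused + sum(1 for link in cand for other in graph[link] if other in active)


def mac_route_report(candidates, active_routes):
    """What MAC hands back to routing: None if a hop is out of radio range, else the
    number of conflicts with the traffic already on the air."""
    return {name: conflicts_with_active(r, active_routes) if route_is_connected(r) else None
            for name, r in candidates.items()}


def mac_filter_routes(candidates, active_routes):
    """The subset of routing's proposals that are connected and conflict-free."""
    return [name for name, c in mac_route_report(candidates, active_routes).items() if c == 0]


ACTIVE = [("A", "B", "C")]
CANDIDATES = {
    "near": ("S", "N1", "N2", "N3", "D"),
    "far": ("S", "F1", "F2", "F3", "F4", "F5", "F6", "F7", "D"),
    "broken": ("S", "Z", "D"),
}

if __name__ == "__main__":
    for name, conflicts in mac_route_report(CANDIDATES, ACTIVE).items():
        print(f"{name:6s} conflicts with active traffic: {conflicts}")
    print("routes MAC returns to routing:", mac_filter_routes(CANDIDATES, ACTIVE))
```

On this topology the "near" alternative, which runs parallel to the active A-B-C route, picks up four conflict edges through node C and would be the "most likely unsuccessful" choice of the "Routing issues" slide; the longer detour has none, so it is the only route MAC returns. The report keeps the conflict counts rather than a yes/no so that routing can still pick the least-interfering route when no candidate is conflict-free.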
Detection scheme in MAC

[Figure: local information flowing into the MAC-layer detector]

•  Input: local information
•  Local detection: use the Neyman-Pearson rule to detect the attack
•  If not able to decide, forward to the IDS and let it decide
•  Issue local (global) response and exchange the information with routing
Local Detection

$P(\text{Receiver} = \text{busy} \mid \text{Sender} = \text{busy}) = 1$
$P(\text{Receiver} = \text{busy} \mid \text{Sender} = \text{idle}) = p$

Hypothesis testing:

$H_0$: Sender is normal
$H_1$: Sender is malicious

Log-likelihood ratio defined as:

$\log \dfrac{P_{H_1}}{P_{H_0}} \;\underset{H_0}{\overset{H_1}{\gtrless}}\; \eta$
Local Detection

•  Due to channel conditions the receiver may not count the backoff correctly

$B_s$: the actual backoff of the sender
$B_r$: backoff observed at the receiver side
$B_t$: threshold for backoff

Two cases:

$B_r \ge B_t$: $P_{H_0} = 1,\; P_{H_1} = 0$

$B_r < B_t$: $P_{H_0} = P(B_s \ge B_t \mid B_r < B_t) = P(\text{making more than } B_t - B_r \text{ errors})$
$P_{H_1} = P(B_s < B_t \mid B_r < B_t) = P(\text{making } [0, B_t - B_r) \text{ errors})$
Local Detection

•  For $B_r < B_t$ the log-likelihood ratio becomes:

$B_r \;\underset{H_1}{\overset{H_0}{\gtrless}}\; \eta', \qquad \eta' = f(\eta, B_t, \text{assigned backoff})$

•  Decision rule:

$H_1$: $B_r < \eta'$
$H_0$: $B_r > \eta'$
$H_1$ with probability $\gamma$: $B_r = \eta'$
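A worked version of the local Neyman-Pearson test of the three "Local Detection" slides, added here as an example and not taken from the talk. It assumes a concrete model: a normal sender draws its backoff $B_s$ uniformly from $[0, CW)$, a malicious sender draws from $[0, B_t)$, and the receiver misses each idle slot with probability $p$, so the observed $B_r$ is $B_s$ minus a Binomial$(B_s, p)$ number of errors. The test ranks observed backoffs by likelihood ratio, fills the $H_1$ region up to the target false-alarm rate $\alpha$, and randomises on the boundary observation, which reproduces the decision rule above ($H_1$ for $B_r < \eta'$, $H_0$ for $B_r > \eta'$, $H_1$ with probability $\gamma$ at $B_r = \eta'$). $CW$, $B_t$, $p$ and $\alpha$ are constructed values.

```python
from math import comb

# Constructed parameters for illustration (not from the slides).
CW = 16        # a normal sender draws its backoff B_s uniformly from [0, CW)
B_T = 8        # threshold B_t: a malicious sender is modelled as drawing B_s from [0, B_t)
P_MISS = 0.1   # p = P(Receiver = busy | Sender = idle): an idle slot the receiver fails to count


def binom_pmf(n, k, p):
    return comb(n, k) * p ** k * (1 - p) ** (n - k)


def uniform_pmf(upper, size):
    """B_s uniform on [0, upper), as a vector over the CW slots."""
    return [1.0 / upper if b < upper else 0.0 for b in range(size)]


def observed_backoff_pmf(sender_pmf, p):
    """P(B_r = b): every idle slot of the real backoff is missed with probability p,
    so B_r = B_s - E with E ~ Binomial(B_s, p) (the receiver under-counts)."""
    pmf = [0.0] * len(sender_pmf)
    for b_s, pr in enumerate(sender_pmf):
        if pr == 0.0:
            continue
        for errors in range(b_s + 1):
            pmf[b_s - errors] += pr * binom_pmf(b_s, errors, p)
    return pmf


P_H0 = observed_backoff_pmf(uniform_pmf(CW, CW), P_MISS)    # likelihood of B_r under H0 (normal)
P_H1 = observed_backoff_pmf(uniform_pmf(B_T, CW), P_MISS)   # likelihood of B_r under H1 (malicious)


def neyman_pearson(p0, p1, alpha):
    """Randomised likelihood-ratio test of size alpha over a discrete observation.
    Observations are taken into the H1 region in order of decreasing P1/P0 until the
    next one would push P_F above alpha; that boundary group is accepted with
    probability gamma so that P_F equals alpha exactly.  Returns
    (deterministic H1 observations, {boundary observation: gamma}, P_F, P_D)."""
    def ratio(b):
        if p0[b] == 0.0:
            return float("inf") if p1[b] > 0.0 else 0.0
        return p1[b] / p0[b]

    groups = {}
    for b in range(len(p0)):
        groups.setdefault(ratio(b), []).append(b)
    decide_h1, gamma, p_f, p_d = set(), {}, 0.0, 0.0
    for r in sorted(groups, reverse=True):
        mass0 = sum(p0[b] for b in groups[r])
        mass1 = sum(p1[b] for b in groups[r])
        if p_f + mass0 <= alpha:
            decide_h1.update(groups[r])
            p_f, p_d = p_f + mass0, p_d + mass1
        else:
            g = (alpha - p_f) / mass0
            gamma.update({b: g for b in groups[r]})
            p_f, p_d = p_f + g * mass0, p_d + g * mass1
            break
    return decide_h1, gamma, p_f, p_d


def backoff_rule(alpha):
    """Express the NP test as the slide's rule on B_r: H1 if B_r < eta', H0 if
    B_r > eta', H1 with probability gamma if B_r == eta'.  Returns (eta', gamma, P_F, P_D)."""
    decide_h1, gamma, p_f, p_d = neyman_pearson(P_H0, P_H1, alpha)
    if len(gamma) > 1:
        raise ValueError("several observations tie at the boundary: no single threshold")
    eta = next(iter(gamma)) if gamma else (max(decide_h1) + 1 if decide_h1 else 0)
    if decide_h1 != set(range(eta)):
        raise ValueError("likelihood ratio is not monotone in B_r: rule is not a threshold")
    return eta, gamma.get(eta, 0.0), p_f, p_d


if __name__ == "__main__":
    eta, g, p_f, p_d = backoff_rule(alpha=0.1)
    print(f"decide H1 if B_r < {eta}; if B_r == {eta} decide H1 with prob {g:.3f}")
    print(f"P_F = {p_f:.3f}, P_D = {p_d:.3f}")
```

With these parameters the likelihood ratio is strictly decreasing in $B_r$ and is zero for $B_r \ge B_t$ (such an observation can only come from a normal sender, the first case of the previous slide), so the general test collapses to the threshold rule with a randomised boundary. The tradeoff of the next slide is visible in the numbers: a small $\alpha$ forces $\eta'$ down and $\gamma$ below one, so a malicious sender that happens to draw a few extra slots is classified as normal.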


June 2, 2004

© CSHCN 2004

APPROVED FOR PUBLIC RELEASE


Tradeoffs


•  If $B_r$ is increased, the number of errors is decreased (probability of correct, fastest detection increases).
•  The log-likelihood ratio decreases as $B_r$ increases.
•  When $B_r$ increases the probability of classifying the node as normal increases.
•  But the probability of false alarm increases
•  Concerned about the probability of false alarm
•  When the backoff is not fixed, even normal nodes can transmit after a small number of idle slots.
•  When the backoff is fixed, concerned about colluding nodes and malicious nodes listening to my transmission
Distributed detection

•  Helps in decreasing the number of false alarms and missed attacks
•  NP rule for distributed detection:
   -  For a predetermined probability of false alarm, $P_F = \alpha$, find the optimum local and global decision rules $\Gamma = (\gamma_0, \gamma_1, \dots, \gamma_N)$ that minimize the global probability of miss
•  Vector of local observations: $\mathbf{B} = (B_1, \dots, B_N)$
•  Each node makes decisions based on local observations and sends its log-likelihood ratio to the IDS
•  Local decision vector: $\mathbf{u} = (u_1, \dots, u_N)$
•  Global decision: $u_0 = \gamma_0(\mathbf{u}),\; u_0 \in \{0, 1\}$
Distributed Detection

•  Optimal test given by:

$\Lambda(\mathbf{u}) = \dfrac{P(\mathbf{u} \mid H_1)}{P(\mathbf{u} \mid H_0)} \;\begin{cases} > \Lambda_0, & \text{decide } H_1 \\ = \Lambda_0, & \text{decide } H_1 \text{ with prob. } \gamma \\ < \Lambda_0, & \text{decide } H_0 \end{cases}$

•  Special case: $P_D$ of all nodes are identical and $P_F$ of all nodes are identical
•  The optimal decision rule becomes a threshold on $k$:
   $k$: number of nodes choosing $H_1$
   $\eta' = f(P_D, P_F, N, \eta)$
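The counting rule of this slide, worked through as an added example (not the presentation's own code). It assumes the $N$ local detectors are conditionally independent with identical $(P_D, P_F)$, computes $\Lambda(\mathbf{u})$ both from the full decision vector and from $k$ alone to show the two agree, and then finds the threshold on $k$ (with boundary randomisation $\gamma$) that meets a target global false-alarm rate, returning the resulting global $P_D$. The values $N = 5$, local $P_D = 0.8$, $P_F = 0.1$ and $\alpha = 0.01$ are constructed.

```python
from math import comb

# Constructed values for illustration (not from the slides): five independent local
# detectors, each with the same local operating point.
N_NODES = 5
LOCAL_PD = 0.8   # P_D of every node, e.g. produced by the local backoff test
LOCAL_PF = 0.1   # P_F of every node
ALPHA = 0.01     # target global probability of false alarm


def likelihood_ratio_from_vector(u, p_d, p_f):
    """Lambda(u) = P(u | H1) / P(u | H0) computed over the full local decision vector,
    assuming the local decisions are conditionally independent given the hypothesis."""
    lam = 1.0
    for u_i in u:
        lam *= (p_d / p_f) if u_i else ((1 - p_d) / (1 - p_f))
    return lam


def fusion_likelihood_ratio(k, n, p_d, p_f):
    """With identical nodes Lambda(u) depends on u only through k, the number of
    local H1 decisions, and is increasing in k whenever p_d > p_f."""
    return (p_d / p_f) ** k * ((1 - p_d) / (1 - p_f)) ** (n - k)


def binom_pmf(n, k, p):
    return comb(n, k) * p ** k * (1 - p) ** (n - k)


def optimal_counting_rule(n, p_d, p_f, alpha):
    """NP fusion rule for a target global P_F = alpha.  Because Lambda is increasing in
    k, comparing Lambda(u) with Lambda_0 is the same as comparing k with a threshold:
    decide H1 if k > k_star, with probability gamma if k == k_star, else H0.
    Returns (k_star, gamma, Lambda_0)."""
    if not p_d > p_f:
        raise ValueError("local detectors must be better than chance")
    acc_f = 0.0
    for k_star in range(n, -1, -1):                       # largest k (largest Lambda) first
        mass = binom_pmf(n, k_star, p_f)                  # P(k = k_star | H0)
        if acc_f + mass > alpha:
            gamma = (alpha - acc_f) / mass
            return k_star, gamma, fusion_likelihood_ratio(k_star, n, p_d, p_f)
        acc_f += mass
    return 0, 1.0, fusion_likelihood_ratio(0, n, p_d, p_f)  # alpha >= 1: always decide H1


def global_rates(n, p_d, p_f, k_star, gamma):
    """Global (P_F, P_D) of the counting rule, from the Binomial distribution of k
    under each hypothesis."""
    def prob_decide_h1(p):
        tail = sum(binom_pmf(n, k, p) for k in range(k_star + 1, n + 1))
        return tail + gamma * binom_pmf(n, k_star, p)
    return prob_decide_h1(p_f), prob_decide_h1(p_d)


if __name__ == "__main__":
    k_star, gamma, lam0 = optimal_counting_rule(N_NODES, LOCAL_PD, LOCAL_PF, ALPHA)
    g_pf, g_pd = global_rates(N_NODES, LOCAL_PD, LOCAL_PF, k_star, gamma)
    print(f"decide H1 if k > {k_star}, with prob {gamma:.4f} if k == {k_star} (Lambda_0 = {lam0:.2f})")
    print(f"global P_F = {g_pf:.4f}, global P_D = {g_pd:.4f}")
```

For these numbers the fusion rule is "at least 3 of 5 nodes say $H_1$" (plus a small randomised acceptance when exactly 2 do), and the global operating point moves from the local $(0.8, 0.1)$ to roughly $(0.94, 0.01)$: fewer false alarms and fewer missed attacks at the same time, which is the first bullet of the previous slide.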
Attack Detection

•  For detection of more sophisticated attacks we formulate theorems (series of rules a fault-free MAC protocol cannot violate)
   -  e.g. cannot violate the exponentially growing contention window w.r.t. the next successful transmission time
•  For attack detection Automatic Model Checking is executed with input of the relevant rule (theorem) parameters from the nodes under examination
•  Non-allowed behaviors of the system denoted as $a_i$
•  Safety behavior: $a$
•  $a$ is satisfied when $\neg a_1 \wedge \neg a_2 \wedge \dots \wedge \neg a_n$ are satisfied
•  If there is an $a_i$ s.t. the safe behavior is violated, the model checker goes backwards and saves the time history together with the values of related variables
•  This scheme can be used for automatic attack/fault generation
Attack Detection

•  The vulnerable period of the IEEE 802.11 MAC is in the RTS/CTS exchange
•  We formulate the following theorem:
   -  Two processes cannot be in their critical section at the same time:
      $AG(\neg(P_i.s = c \wedge P_j.s = c))$
   -  A process that wants to enter its critical section is eventually able to do so:
      $AG(P_i.s = t \Rightarrow AF(P_i.s = c))$
•  First rule helpful in the case when other nodes assign backoff to the sender!
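An explicit-state model checker for the two theorems above, added as an illustration (not the project's checker or its EFSM model). It assumes a small abstract model of two contending stations: each is silent (n), trying (t, RTS sent) or in its critical section (c, transmitting); a well-behaved station enters only when the other is silent, or when both are trying and it holds the turn, and hands the turn over on leaving. The safety formula $AG(\neg(P_i.s = c \wedge P_j.s = c))$ is checked by exhaustive reachability, and when it fails the checker walks back through the BFS predecessors and returns the time history with the values of the related variables, as the previous slide describes. The liveness formula $AG(P_i.s = t \Rightarrow AF(P_i.s = c))$ is evaluated as a least fixpoint. The `rogue` station that ignores the medium is a hypothetical misbehaving node used only to show the checks failing.

```python
from collections import deque

# Abstract two-station model (an assumption for illustration, not the slides' EFSM).
# Station state: n = silent, t = trying (RTS sent), c = critical section (transmitting).
N, T, C = "n", "t", "c"
INITIAL = (N, N, 0)    # (state of station 0, state of station 1, turn)


def successors(state, rogue=None):
    """Interleaved next states.  A well-behaved station enters its critical section
    only if the other is silent, or if both are trying and it owns the turn; leaving
    hands the turn to the other.  A `rogue` station (hypothetical misbehaving node)
    ignores the medium and enters whenever it is trying."""
    s, turn = list(state[:2]), state[2]
    out = []
    for i in (0, 1):
        j = 1 - i
        nxt = list(s)
        if s[i] == N:
            nxt[i] = T
            out.append((nxt[0], nxt[1], turn))
        elif s[i] == T:
            may_enter = (s[j] != C and (s[j] != T or turn == i)) or rogue == i
            if may_enter:
                nxt[i] = C
                out.append((nxt[0], nxt[1], turn))
        else:
            nxt[i] = N
            out.append((nxt[0], nxt[1], j))
    return out


def reachable(rogue=None):
    """Breadth-first exploration; maps each reachable state to its BFS predecessor."""
    parent = {INITIAL: None}
    queue = deque([INITIAL])
    while queue:
        s = queue.popleft()
        for nxt in successors(s, rogue):
            if nxt not in parent:
                parent[nxt] = s
                queue.append(nxt)
    return parent


def time_history(parent, state):
    """Walk backwards from a violating state to the initial one: the saved trace,
    each step carrying the values of the related variables (both states and turn)."""
    path = []
    while state is not None:
        path.append(state)
        state = parent[state]
    return path[::-1]


def check_mutual_exclusion(rogue=None):
    """AG(not(P0.s == c and P1.s == c)).  Returns (True, None) or (False, trace)."""
    parent = reachable(rogue)
    for s in parent:                       # insertion order == BFS order: shortest trace first
        if s[0] == C and s[1] == C:
            return False, time_history(parent, s)
    return True, None


def check_eventual_entry(proc, rogue=None):
    """AG(P_proc.s == t -> AF(P_proc.s == c)).  AF is the least fixpoint: a state is in
    it if P_proc is already in c, or if it has successors and all of them are in it."""
    parent = reachable(rogue)
    succ = {s: successors(s, rogue) for s in parent}
    af = {s for s in parent if s[proc] == C}
    changed = True
    while changed:
        changed = False
        for s in parent:
            if s not in af and succ[s] and all(nxt in af for nxt in succ[s]):
                af.add(s)
                changed = True
    return all(s in af for s in parent if s[proc] == T)


if __name__ == "__main__":
    print("well-behaved: mutual exclusion", check_mutual_exclusion()[0],
          "| eventual entry", check_eventual_entry(0), check_eventual_entry(1))
    ok, trace = check_mutual_exclusion(rogue=0)
    print("station 0 ignores the medium: mutual exclusion", ok)
    for step, state in enumerate(trace):
        print(f"  t={step}: P0.s={state[0]} P1.s={state[1]} turn={state[2]}")
    print("  eventual entry for station 1:", check_eventual_entry(1, rogue=0))
```

The well-behaved model satisfies both formulas. With station 0 ignoring the medium, the safety check returns a five-step history ending in both stations transmitting, and the liveness check for station 1 fails because the rogue can cycle through its critical section while station 1 stays in t; the trace is exactly the kind of record the slides propose to hand to the IDS and to reuse for attack/fault generation.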
Results

Attacks propagate from MAC to routing, disabling key nodes:

[Figure: Attack 1 results | Attack 2 results]
Conclusions

•  Need to implement cooperation between MAC and routing to be able to detect attacks more efficiently
•  Other attacks apart from CW misuse exist: NAV, other kinds of backoff counter abuse, ...
•  MAC can be modeled using formal models
•  Duration of malicious behavior depends on the traffic
•  Stealthy attacks exist in the short term; long-term existence depends on traffic and interference
•  Conflict graphs are a good approach for solving problems of interference
•  Need to simplify the problem since it's NP-complete!



Future Work

•  Construct an Intrusion Detection System with the ability to detect and classify known attacks using the techniques presented, and to detect unknown attacks using a database of attack features
•  How to detect anomalies in wireless networks?
•  Model other MAC protocols using EFSMs
•  Use the system for online generation of attacks that are passed to the IDS and added to the existing database of attacks
•  Event ordering and correct timing have crucial roles in MAC protocols: necessary to use ordered models of execution with explicit timings
•  Define the ordered model of execution with multiple goals
•  Describe changes in state variables that lead to certain states
Future Work (cont.)

•  Enable automatic attack generation using EFSM models of the MAC layer
•  Challenges:
   -  Range of attacks is much wider in wireless than in wired networks;
   -  How to distinguish between an attack and a high volume of traffic?
   -  Which parameters to exchange between layers to achieve efficient intrusion detection?
   -  How to detect unknown attacks without a high false positive rate?
   -  Lack of data for testing; collaboration with industry and DoD Labs
•  Potential approach - combination of model checking and theorem proving techniques.
•  Plan to use a combination of analytical techniques from graph theory, dynamic games, distributed detection, temporal logic, hybrid automata